Database Security

CAN A DATABASE
REALLY BE SECURE?
PRESENTED BY AUDREY WILLIAMS
OVERVIEW

- What is the purpose of a database security system?
- Why should an organization bother to implement a database security system?
- What kinds of database security features can protect the DBMS?
- What are the responsibilities of the database administrator?
- Exposing classic database intruders
- Summation
- Bibliography
DATABASE SECURITY

What is the purpose of a database security system?

- To protect the stored data that the organization collects and turns into meaningful products such as documents, charts and reports.
- To keep that data away from intruders.

Spafford states the limits bluntly: "the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
DATABASE SECURITY

In response to Mr. Spafford's statement:

Why should an organization bother to implement a database security system?

- To protect the company's clientele from predators who will sell the stolen data to the highest bidder.
- Because database intrusions and thefts destroy or reduce the company's credibility and profits.
DATABASE SECURITY

Figure 1 (Client/Server/DB) traces the path of a request. The client workstation sends a message to its client network router, which forwards it through the LAN/WAN router and firewall to the internet. On the far side, the internet router and firewall pass it to the server hosting the DBMS, which retrieves the requested data. The response travels back to the client along the same path in reverse.

[Figure 1: Client/Server/DB. Components shown: Client Workstation; Client Ntwk router; LAN/WAN hd/sw router/firewalls; Internet & Internet router/firewall; Servers; DBMS w/Server; Hacker Intrusion, drawn at the internet router/firewall.]

So the entry point for hackers to breach the system is the internet, internet router and firewall connection, which places the DBMS in jeopardy of data intrusion. The practical consequence is that the DBMS itself should never accept connections from the internet directly: only the application server should be able to reach it, and the firewall rules should enforce that.
DATABASE SECURITY FEATURES

What kinds of database security features can protect the DBMS?

- Digital certificates bind a public key to the identity of a computer, person or website so that the other party can authenticate it. A third party, a certificate authority (CA) such as the one Equifax operated, signs the certificate to vouch that the key belongs to the named entity.
- Encryption alters the data so that unauthorized users cannot read it, even if they obtain the stored bytes.
- Firewalls protect a network from unauthorized access from the internet by allowing only the connections that policy permits.
- Proxy servers mediate requests between the client computers inside a private network and the internet, so internal hosts are not exposed directly.
- Secure Sockets Layer (SSL, today TLS) establishes the connection and transmits the data encrypted.
- S-HTTP (secure hypertext transport protocol) was a scheme for transmitting individual web pages securely; in practice it was superseded by HTTPS, which is HTTP over SSL/TLS.

So, by configuring these features together with the internet and network components, it is possible to provide privacy and security that reduce database security intrusions.
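A worked example of the encryption point above, added here by the editor and not taken from the presentation. It shows what "unauthorized users cannot read the data" means at the table level, using PostgreSQL with the pgcrypto extension; the table, column and key values are hypothetical, and in a real deployment the key is supplied by the application or a key management service, never written into the SQL.

```sql
-- Added example (PostgreSQL + pgcrypto); not part of the original slides.
-- Table, column names and the key literal are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE client_cards (
    client_id   integer PRIMARY KEY,
    company     text    NOT NULL,
    card_number bytea   NOT NULL   -- holds ciphertext, never plaintext
);

-- Weak version (if card_number were a text column): the number is stored in
-- the clear, so anyone with SELECT on the table, a copy of a backup, or
-- access to the disk reads it directly.
-- INSERT INTO client_cards VALUES (1, 'Acme Ltd', '4111111111111111');

-- Corrected version: encrypt before the value reaches the table.
INSERT INTO client_cards (client_id, company, card_number)
VALUES (1, 'Acme Ltd', pgp_sym_encrypt('4111111111111111', 'app-supplied-key'));

-- A user who can SELECT the table sees only ciphertext ...
SELECT client_id, company, card_number FROM client_cards;

-- ... and only a caller holding the key recovers the value.
SELECT client_id,
       pgp_sym_decrypt(card_number, 'app-supplied-key') AS card_number
FROM   client_cards
WHERE  client_id = 1;

-- Passwords are the opposite case: they never need to be read back, only
-- compared, so store a salted hash (bcrypt here) instead of an encryption.
CREATE TABLE app_users (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL
);

INSERT INTO app_users (username, pw_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- Login check: returns a row only when the supplied password matches.
SELECT username
FROM   app_users
WHERE  username = 'alice'
  AND  pw_hash  = crypt('correct horse battery staple', pw_hash);
```

Column-level encryption protects against readers of backups, disk images and over-privileged accounts; it does nothing against whoever holds the key, so the key must live outside the database and the decrypting query should run only from the application tier. A hashed password cannot be recovered at all, which is why it is the right treatment for credentials and the wrong one for data the application must display again.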
RESPONSIBILITIES OF THE DATABASE ADMINISTRATOR

- Assign each user a unique user identification and password, with permissions that allow access to, reading of, or manipulation of only the specific information the user needs, and only for as long as it is needed.
- Enable the layers of protection around the data: access control, authentication and auditing, encryption, and integrity controls.
- Perform a vulnerability scan on a routine basis to locate configuration problems in the DBMS software and its data layers.
- Evaluate and perform a vulnerability assessment against the database itself; this assessment tries to locate the cracks in the database security before an intruder does.
RESPONSIBILITIES OF THE DATABASE ADMINISTRATOR

- Continually monitor against the database security standards to make sure the company's DBMS remains in compliance with them.

Two parts of database security compliance must be used together:

- Patch management: a method that locates known problems in the software and applies the fixes and updates that close the cracks in the database security.
- Management and review of public and granted data access: locating the data objects in the database, such as the tables that hold the data, and evaluating who is entitled to view or manipulate each object.
RESPONSIBILITIES OF THE DATABASE ADMINISTRATOR

- Always keep in mind that whenever a DBMS is attached to internet and network connections, attempts to breach it will occur; plan on the assumption that some will succeed.
- Perform routine backup and recovery procedures, and test that a backup can actually be restored, in case of electrical outage or intruder attacks that damage the DBMS.
THE CLASSIC DATABASE INTRUDERS

The Shifty Employees & Malicious Hackers
THE CLASSIC DATABASE INTRUDERS

Employees

For example, a salesperson in the sales department should have access to the company's product price list, but not to employee birth dates, extensive clientele information, home addresses or salary information.

Continuing the example: the salesperson learns that they are about to be fired or laid off. With broad access they can alter the data and copy the client list to take to their next job.

So the company and the database administrator share the blame when an employee has access to far more data than the job requires: the damage is bounded by what the account could read, not by what the employee needed.
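A worked example of the access model behind the salesperson scenario and the administrator responsibilities above (individual logins, job-based roles with only the grants the job needs, and a review of who is entitled to which objects), added here by the editor and not taken from the presentation. It uses PostgreSQL syntax; the table, role and user names are hypothetical.

```sql
-- Added example (PostgreSQL syntax); not part of the original slides.
-- Table, role and user names are hypothetical.

-- Sensitive and non-sensitive data live in separate tables so that grants
-- can be made per object instead of per database.
CREATE TABLE product_prices (
    product_id integer PRIMARY KEY,
    name       text NOT NULL,
    list_price numeric(10,2) NOT NULL
);

CREATE TABLE employees (
    employee_id integer PRIMARY KEY,
    full_name   text NOT NULL,
    birth_date  date,
    home_addr   text,
    salary      numeric(12,2)
);

CREATE TABLE clients (
    client_id integer PRIMARY KEY,
    company   text NOT NULL,
    contact   text,
    phone     text,
    notes     text
);

-- Remove the default ability of every login to touch objects in the schema.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- Roles describe jobs, not people. A salesperson reads prices and basic
-- client contact data, never employee records.
CREATE ROLE sales NOLOGIN;
GRANT USAGE ON SCHEMA public TO sales;
GRANT SELECT ON product_prices TO sales;
-- Column-level grant: sales sees who the client is, not the internal notes.
GRANT SELECT (client_id, company, contact, phone) ON clients TO sales;

CREATE ROLE hr NOLOGIN;
GRANT USAGE ON SCHEMA public TO hr;
GRANT SELECT, UPDATE ON employees TO hr;

-- Each person gets an individual login (unique identification) and inherits
-- only the role for their job; nobody connects as the owner account.
CREATE ROLE alice LOGIN PASSWORD 'replace-with-a-strong-secret' IN ROLE sales;
CREATE ROLE bob   LOGIN PASSWORD 'replace-with-a-strong-secret' IN ROLE hr;

-- When alice is laid off, one statement closes the door; the data she could
-- copy before that day was bounded by the sales role, not by the whole DB.
ALTER ROLE alice NOLOGIN;

-- Review of public and granted access ("who is entitled to view or
-- manipulate which data objects"). Rows with grantee = 'PUBLIC' are findings.
-- grantee = grantor rows are the owner's implicit privileges and are skipped.
SELECT grantee, table_name, privilege_type
FROM   information_schema.table_privileges
WHERE  table_schema = 'public'
  AND  grantee <> grantor
ORDER  BY grantee, table_name, privilege_type;

-- Column-level grants are recorded separately; review them as well.
SELECT grantee, table_name, column_name, privilege_type
FROM   information_schema.column_privileges
WHERE  table_schema = 'public'
  AND  grantee IN ('sales', 'hr')
ORDER  BY grantee, table_name, column_name;
```

Run the two review queries on a schedule and diff the output against the last run: a new grant to PUBLIC, or a login role that has acquired a second job role, is exactly the kind of drift the "management and review of granted access" responsibility is meant to catch. Revoking from PUBLIC also affects existing applications, so apply it in a test environment first.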
THE CLASSIC DATABASE INTRUDERS

The Black Hat Hacker

- A person who breaks into a computer, network or database system to retrieve data with criminal and malicious intent: blackmail, damage, larceny, and terrorizing the victims.
- The purpose is to gain control of the individual's or the organization's systems.
THE CLASSIC DATABASE INTRUDERS

Hackers believe: "The best hackers never get caught!"

- However, in 2006, 42% of cybercrimes were committed by hackers.
- Law enforcement manpower is too limited to pursue every high-tech crime that is committed, so the cases that are pursued are the most costly ones.
- Yet in 2006, task forces in major cities were developing and devoting more manpower to locating, charging, arresting and sentencing hackers for their cybercrimes.
- In 2006, one hacker stole 165,000 consumer identities and another stole $800,000 from local banks through identity theft.
SUMMATION

Companies cannot fully deter or stop predators from attacking the DBMS through internet and network connections. What they can do is apply the database security features above and perform routine maintenance on the DBMS:

- Monitor compliance with the database security standards.
- Perform vulnerability assessments and scans to discover cracks in the database security.
- Reconfigure data access parameters to lock out imminent attackers.
- Prevent employees from accessing and viewing more data than necessary.

Doing these consistently should maintain database security well enough to protect the data from most intrusions and thefts.
BIBLIOGRAPHY

- Wikipedia, "Hacker", http://en.wikipedia.org/wiki/Hacker (article created in 1997; retrieved 31 Mar 2007).
- Garfinkel, S., with Spafford, E. H. Web Security & Commerce. O'Reilly.
- U.S. Department of Justice and FBI.
- Merriam-Webster.
- Los Angeles Police Department (L.A.P.D.).
- New York Police Department (N.Y.P.D.).